Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2005-02-04

Communications, Privacy Laws, and Security

As far back as 1997, I can remember Voice-over-IP, or VoIP, being called the "next big thing." Today, it seems the prophecies are finally coming true. Unfortunately, the widespread adoption of this technology stands to throw into complete disarray the boundaries of privacy laws intended to protect citizens, and the remediation could have a significant impact on the security industry.

Confusion over the application of the Federal Wiretap Act of 1968 has already arisen with regard to Instant Messaging, and this is a good starting point for a discussion on privacy in a digital environment like the Internet. If I am chatting on AIM from my home computer, sending personal messages to a friend who is at work, the conversation may be recorded. In fact, there is an emerging niche market of products designed specifically for such a purpose. The argument for such monitoring goes like this: every organization has a right (and sometimes an obligation) to monitor the use of its computers and networks. There are many reasons for this, not the least of which is making sure sensitive information is not leaked. If someone happens to be chatting up a storm on IM and personal information gets logged, well, too bad. That individual knows the rules. On the other hand, as the user at home, I have no intention of my message being seen by anyone other than the recipient, and I have no way of knowing that my friend is on a network that might be monitored. On its face, mine seems to be the kind of situation for which the Privacy Act was designed; however, there is little to no precedent either way. And unlike email, which already has a strange judicial precedent, the technology is not store-and-forward, so the one existing ruling regarding Internet communications cannot be applied. Now, I should know that IM conversations are easily read by third parties, but the difficulty of intercepting a conversation has nothing to do with its legality.

These privacy and legal concerns are quickly being realized by adopters of VoIP, except now the technology impacted completely mimics the type of technology the Wiretap Act was meant to protect: voice communications. Every time packets of VoIP data are sent over the Internet, they are most likely being analyzed by packet loggers, IDSs, and a variety of other network monitoring gear. The privacy of this data is entirely in the hands of the people who configured the devices, and the logging of this data falls into the same huge gray area as our IM conversation above. Furthermore, it would be easy to build products to monitor this data in a comprehensive manner, as with the IM conversation recorders above. After all, why not? It's the same communication paradigm: packets of communication data being sent in TCP packets over an IP network. The only difference here is that a person's voice, not fingers, generated the message.

What we have here is quite a conundrum. It's obvious that the current ambiguity with respect to privacy laws cannot last. Lines will be drawn, whether they be in the form of legislation or judicial precedent, and there is a good chance it will make the job of information security analysts considerably more difficult.

I believe that privacy laws are an important part of our democracy in the United States. That being said, security and privacy are often at odds with each other, and some would argue that this is even a zero-sum game: if you gain security, you lose privacy, and vice versa. Consider what would happen to the job of security analysts if it is determined that neither IM nor VoIP conversations may be monitored. Intrusion detection systems would need to ignore such traffic. However, this leaves a significant gap through which an attacker could penetrate a network, as vulnerabilities are found in the associated protocols or their implementations. As an analyst, I cannot both monitor for malicious traffic and protect people's privacy! Any false positive that alarms on normal communication, or any attack that may also lead to the capture of benign traffic, would expose me or my organization to lawsuits. The contrary is just as concerning, as it would be a significant blow to privacy laws in the United States.

The only way to prevent this worst-case scenario is to make sure those who draw the lines in the sand, those who make the laws and set judicial precedent, make exceptions for legitimate and necessary monitoring of network traffic. It is equally important that these exceptions are well-defined and do not create the potential for loopholes or abuse. In the interim, we must rely on the software and hardware vendors to assist in any way they can. A method for adding legal disclaimers to all IMs entering and leaving a monitored network would be a good place to start. Something similar for VoIP would be very difficult, given the backward compatibility with POTS systems, but even a brief 2-second "this call may be monitored by networking devices" would work. Of course, there is currently no incentive for companies to install such devices, should they exist. The problem is a complex one, and watching the solution develop over time will be just as exciting as it will be scary.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.